On 2020-09-01 4:04 pm, Marco Shmerykowsky via samba wrote:
> On 2020-09-01 1:57 pm, Marco Shmerykowsky via samba wrote:
>> On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
>>> Am 01.09.20 um 19:07 schrieb Marco Shmerykowsky via samba:
>>>> A little off topic, but this does revolve around
>>>> Samba.
>>>>
>>>> I'm hoping someone can help me get to a working solution.
>>>> I haven't been able to find a clear guide, but it must
>>>> have been done by others.
>>>>
>>>> I'm trying to set up a VPN using OpenVPN on Pfsense
>>>> with authentication via my Samba AD (Version 4.9.4-Debian)
>>>>
>>>> I keep getting a "Could not connect to LDAP server" error
>>>> when trying to configure the authentication server. When
>>>> I try to test the server I get an "Attempting to fetch Organizational
>>>> Units from XXXX failed" error.
>>>>
>>>> The "button" in the gui that allows for "selecting a container"
>>>> for setting the authentication container doesn't work so
>>>> I set it manually (CN=users;DC=internal,DC=company,DC=com)
>>>>
>>>> I've copied the ca.pem, cert.pem and key.pem files over to
>>>> pfsense to create the certificates.
>>>>
>>>> The authentication server is set to type "LDAP" using a
>>>> transport of "TCP - standard" and a port of 389. The
>>>> Peer Certificate Authority uses the cert created from
>>>> importing ca.pem. The client certificate uses the cert
>>>> created from importing cert.pem and key.pem.
>>>>
>>>> The base DN is correct (DN=internal,DN=company,DN=com).
>>>>
>>>> The pfsense box can resolve the host name of the Samba
>>>> machine (machine.internal.company.com).
>>>>
>>>> I have it set to use anonymous binds.
>>>>
>>>> Some kind of connection issue I gather with connecting
>>>> to the Samba internal LDAP server.
>>>>
>>>> Can anyone please point me in the correct direction? Thanks.
>>>
>>> I hit that as well, you might be able to find it in the ML archive.
>>>
>>> For me it was crucial to import the CA certs of the Samba AD DCs into
>>> pfsense.
>>>
>>> Additionally it was super important to use the correct and matching FQDN
>>> of one (I didn't manage to set up some redundant alias yet) AD DC in
>>> the "Authentication Server" setup on pfsense.
>>>
>>> I created a separate bind-user for pfsense, not anonymous.
>>>
>>> And SSL-encrypted via Port 636 ... while using the imported CA there.
>>>
>>> This as a start, feel free to ask more, I have at least 3 such
>>> installations working.
>>
>> Thanks. Some progress. I changed the Transport to SSL-encrypted
>> via 636 and created a separate bind user. The bind user is
>> entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com".
>>
>> The server checks out. However, when I run
>> Diagnostics->Authentication
>> although the user checks out as authenticated, the groups the
>> user belongs to are not listed.
>>
>> Must be still missing something.
>
> UGH. It was working & then it stopped working.
> No clue what I could have changed.
>
> Does "ldap server require strong auth" need to be set to 'no'
> or is that currently required?
I only get the tests in Pfsense working consistently if I
set the following:
  Protocol TCP - Standard on Port 389
  "ldap server require strong auth = no" in smb.conf
I'm getting TLS handshake failed on the remote client, so I'm still
doing something wrong.....
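Added example (not from anyone in this thread): a small checker for the interaction the thread is circling around. pfSense's LDAP authentication server does a simple bind with the bind-user DN and password, and Samba's "ldap server require strong auth" (documented values yes, allow_sasl_over_tls, no; default yes) only accepts a simple bind over a TLS-encrypted connection unless it is set to "no". So "TCP - Standard on 389" only works once the setting is lowered, and the price is that the bind password crosses the network in cleartext, whereas SSL on 636 (with the DC's CA imported and a matching FQDN, as Stefan described) works with the default. The smb.conf below is a constructed sample, and the transport names "standard", "starttls" and "ssl" are this script's own shorthand for the pfSense transport choices, not pfSense identifiers.

```python
import re

# Constructed sample [global] section, not taken from the thread; it carries
# the lowered setting that made the port-389 test pass.
SAMPLE_SMB_CONF = """
[global]
    workgroup = INTERNAL
    realm = INTERNAL.COMPANY.COM
    server role = active directory domain controller
    ldap server require strong auth = no
"""

# What each documented value of "ldap server require strong auth" means for a
# simple bind (the bind type pfSense performs): True = TLS is mandatory.
_SIMPLE_BIND_NEEDS_TLS = {"yes": True, "allow_sasl_over_tls": True, "no": False}

# Script's own shorthand for the pfSense transport choices; only "standard"
# leaves the LDAP session unencrypted (assumption, see lead-in).
_ENCRYPTED_TRANSPORTS = {"starttls", "ssl"}


def parse_global_section(text: str) -> dict:
    """Return the key/value pairs of the [global] section with normalised keys."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # blank or comment line
            continue
        if line.startswith("["):                        # section header
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def assess_simple_bind(smb_conf: str, transport: str, port: int) -> dict:
    """Decide whether the DC will accept pfSense's simple bind and how it travels."""
    params = parse_global_section(smb_conf)
    setting = params.get("ldap server require strong auth", "yes").strip().lower()
    if setting not in _SIMPLE_BIND_NEEDS_TLS:
        raise ValueError(f"unknown value for ldap server require strong auth: {setting!r}")
    encrypted = transport.lower() in _ENCRYPTED_TRANSPORTS
    accepted = encrypted or not _SIMPLE_BIND_NEEDS_TLS[setting]
    if accepted and not encrypted:
        note = "bind accepted, but the bind-user password crosses the network in cleartext"
    elif accepted:
        note = ("bind accepted over TLS; the DC certificate must chain to the CA "
                "imported into pfSense and match the FQDN pfSense was given")
    else:
        note = (f"DC rejects a cleartext simple bind while the setting is '{setting}'; "
                "switch the transport to SSL/STARTTLS rather than lowering the setting")
    return {"accepted": accepted, "encrypted": encrypted,
            "setting": setting, "port": port, "note": note}


if __name__ == "__main__":
    for transport, port in (("standard", 389), ("ssl", 636)):
        print(transport, port, assess_simple_bind(SAMPLE_SMB_CONF, transport, port))
```

Run against the sample it reports that the 389 bind is accepted only because the setting was lowered, and flags the cleartext password; with the default "yes" the same transport is rejected and only the 636 variant passes, which is the combination the thread's second reply recommends.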